Intrusion Detection Overview
Terms you'll need to understand:
False positives, false negatives
True positives, true negatives
Host-based intrusion protection system (HIPS)
Network-based intrusion detection system (NIDS)
Profile-based intrusion detection (anomaly detection)
Signature-based intrusion detection (misuse detection)
Techniques you'll need to master:
Understanding IDS triggers
Recognizing intrusion detection evasive techniques
Describing the Cisco Secure Intrusion Detection System (CSIDS) environment
Understanding CSIDS communications
We saw in Chapter 2, "Introduction to Network Security," how the need for network security is growing and evolving with the increasingly open and interconnected nature of today's networks. In this chapter, we explore how IDS components work together to proactively secure the network environment against a backdrop of both amateur and sophisticated attacks.
This chapter provides an overview of intrusion detection concepts and the various methods employed to detect, monitor, and respond to network intrusions. This chapter will familiarize you with different IDS triggers, attack identification methods, and monitoring locations, as well as provide you with an overview of intrusion detection evasive techniques. It then describes the components of the Cisco IDS protection environment and how these parts work together to enforce a layered approach to network security.
In Chapter 2, we discussed the general need for network security and the role of intrusion detection within the security policy and Cisco security wheel. This chapter provides an overview of general IDS terminology before describing the Cisco IDS environment.
Predictably, vendors disagree on how to define network intrusions and attack signatures, so a solid understanding of these concepts is essential before you implement, configure, and test the Cisco IDS signature series and micro-engines covered later in this book.
A network intrusion is a sequence of activities by a malicious actor that poses an unauthorized security threat to a target network. A signature is a set of conditions that, when met, indicate some type of intrusion event.
A false positive occurs when an IDS reports as an intrusion an event that is in fact legitimate network activity. A false negative occurs when the IDS fails to detect malicious network activity. Similarly, a true positive occurs when the IDS correctly identifies network activity as a malicious intrusion; a true negative occurs when the IDS does not report legitimate network activity as an intrusion.
A false positive is the result of an IDS firing an alarm for legitimate network activity. A false negative occurs when the IDS fails to detect malicious network traffic.
Attack signatures use five methodologies to detect intrusions:
Profile-based (anomaly) intrusion detection
Signature-based (misuse) detection
Pattern matching and stateful pattern matching
Protocol decode-based analysis
Heuristic-based analysis
Profile-Based (Anomaly) Intrusion Detection
Profile-based intrusion detection, sometimes called anomaly detection, flags activity that deviates from a learned baseline of "normal" activity. Because it depends on a statistical definition of normal, and legitimate behavior also drifts over time, profile-based anomaly detection can be prone to a large number of false positives.
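The following is an added example, not code from the book or from Cisco IDS, that ties the statistical notion of "normal" to the four outcome terms defined earlier (true and false positives and negatives). It builds a profile from a constructed baseline of outbound connections per minute for one host, flags observations whose z-score exceeds a threshold, and tallies the outcomes against constructed ground truth. The baseline values, the observations, and the z-score rule are all assumptions made for illustration.

```python
"""Profile-based (anomaly) detection over a constructed per-minute connection count.

The baseline and the observations are made-up sample data; the z-score rule is
an assumption used to illustrate a statistical definition of "normal".
"""
import statistics

# Constructed training data: outbound connections per minute from one host
# during a quiet, known-clean period.
BASELINE = [40, 45, 38, 50, 42, 47, 44, 41, 39, 46]

# Constructed observations: (label, connections_per_minute, actually_malicious)
OBSERVATIONS = [
    ("office hours",        44, False),
    ("malware beacon",     120, True),
    ("nightly backup job",  95, False),
    ("lunch-time lull",     30, False),
    ("low-and-slow exfil",  52, True),
]


class Profile:
    """Statistical profile of normal behaviour: mean and population stdev of the baseline."""

    def __init__(self, baseline, z_threshold=3.0):
        self.mean = statistics.fmean(baseline)
        self.stdev = statistics.pstdev(baseline)
        self.z_threshold = z_threshold

    def zscore(self, value):
        if self.stdev == 0:
            return float("inf") if value != self.mean else 0.0
        return abs(value - self.mean) / self.stdev

    def is_anomalous(self, value):
        """Fire when the observation deviates from the profile by more than z_threshold stdevs."""
        return self.zscore(value) > self.z_threshold


def classify(profile, observations=OBSERVATIONS):
    """Score each observation against the profile and tally TP/FP/TN/FN."""
    counts = {"TP": 0, "FP": 0, "TN": 0, "FN": 0}
    for label, value, malicious in observations:
        flagged = profile.is_anomalous(value)
        if flagged and malicious:
            counts["TP"] += 1
        elif flagged:
            counts["FP"] += 1
        elif malicious:
            counts["FN"] += 1
        else:
            counts["TN"] += 1
    return counts


if __name__ == "__main__":
    for z in (3.0, 4.0):
        print(f"z > {z}: {classify(Profile(BASELINE, z))}")
```

With the 3-sigma rule the backup job and the lunch-time lull both fire as false positives while the low-rate exfiltration slips through as a false negative; loosening the threshold to 4 sigma removes one false positive but does nothing for the false negative, which is the tuning trade-off the text warns about.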
Signature-Based (Misuse) Intrusion Detection
Misuse detection, also known as signature-based or pattern-matching detection, looks for a pattern that closely matches activity typical of a network intrusion. It's important to recognize that signature-based intrusion detection is sometimes equated only with pattern matching or misuse detection and is therefore criticized as incomplete. In fact, a signature-based IDS can use any or all of the five methodologies described here.
Pattern matching looks for a fixed sequence of bytes within a single packet, and it is straightforward to deploy. To limit the traffic that must be inspected, the pattern is usually also tied to a particular service and source or destination port. An example of pattern matching is firing an alarm if the packet is Internet Protocol version 4 (IPv4) and User Datagram Protocol (UDP), has destination port 12570, and contains the string "madison" in the payload.
However, many protocols and attacks don't use well-known ports, so pattern matching has difficulty detecting them. Also, if the chosen pattern is not sufficiently unique, a large number of false positives can result.
Stateful Pattern Matching
Stateful pattern matching extends pattern matching by searching for unique sequences that may be distributed across several packets within a stream. It could improve on the preceding example by firing an alarm if the string "mad" is detected in one packet and "ison" in a subsequent packet of the same flow. Although stateful pattern matching is more specific than single-packet pattern matching, it is still vulnerable to false positives, and modifications to an attack can still produce missed events, that is, false negatives.
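As an added example (not code from the book or from Cisco IDS), the following Python contrasts the two engines described above on the text's own signature: UDP, destination port 12570, payload containing "madison". The single-packet matcher only fires when the whole string sits in one datagram; the stateful matcher keeps a per-flow tail buffer so the string still fires when an attacker splits it across packets. The packets are constructed for the demonstration, as is the trivially modified (upper-cased) attack that both engines miss.

```python
"""Single-packet pattern matching versus stateful (stream-aware) pattern matching.

Packets are constructed stand-ins for IPv4/UDP datagrams. The signature
(UDP, dport 12570, payload contains b"madison") is the example from the text.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "udp" or "tcp"
    dport: int
    payload: bytes


SIG_PORT = 12570
SIG_PATTERN = b"madison"


def simple_match(pkt: Packet) -> bool:
    """Stateless: fire only when the complete pattern is inside this one packet."""
    return pkt.proto == "udp" and pkt.dport == SIG_PORT and SIG_PATTERN in pkt.payload


class StatefulMatcher:
    """Carries the last len(pattern)-1 payload bytes per flow so a split pattern still matches."""

    def __init__(self, pattern: bytes = SIG_PATTERN, port: int = SIG_PORT):
        self.pattern = pattern
        self.port = port
        self.tail = defaultdict(bytes)   # (src, dst, dport) -> trailing bytes of the flow

    def feed(self, pkt: Packet) -> bool:
        if pkt.proto != "udp" or pkt.dport != self.port:
            return False
        key = (pkt.src, pkt.dst, pkt.dport)
        window = self.tail[key] + pkt.payload
        hit = self.pattern in window
        # Keep only what a later packet could still complete into a full match.
        self.tail[key] = window[-(len(self.pattern) - 1):]
        return hit


def run(packets, matcher=None):
    """Return the indices of packets that fired under each engine."""
    matcher = matcher or StatefulMatcher()
    simple = [i for i, p in enumerate(packets) if simple_match(p)]
    stateful = [i for i, p in enumerate(packets) if matcher.feed(p)]
    return simple, stateful


# Constructed traffic: flow 10.0.0.5 splits the string across two datagrams.
SAMPLE = [
    Packet("10.0.0.5", "192.0.2.10", "udp", 12570, b"hello mad"),
    Packet("10.0.0.5", "192.0.2.10", "udp", 12570, b"ison world"),
    Packet("10.0.0.7", "192.0.2.10", "udp", 12570, b"madison"),   # whole pattern in one packet
    Packet("10.0.0.8", "192.0.2.10", "udp", 53,    b"madison"),   # wrong port: not inspected
    Packet("10.0.0.9", "192.0.2.10", "tcp", 12570, b"madison"),   # wrong protocol: not inspected
    Packet("10.0.0.5", "192.0.2.10", "udp", 12570, b"MADISON"),   # modified attack: both engines miss
]

if __name__ == "__main__":
    print(run(SAMPLE))   # ([2], [1, 2])
```

Packet 1 fires only under the stateful engine, which is the evasion the text describes. The last packet shows the flip side: a byte-exact signature is brittle, and a case change alone turns the attack into a false negative for both engines, so real signatures typically normalize or use protocol-aware matching rather than raw bytes.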
Protocol Decode-Based Analysis
You can think of protocol decode-based signatures as an intelligent extension of pattern matching. With this type of signature, the IDS searches for protocol violations, as defined by Requests for Comment (RFCs), and might also incorporate pattern matches for a particular field.
For example, consider an attack that runs over a hypothetical Multicast over Satellite Protocol (MSP) and places an illegal value xyz in the MSP Type field. Suppose also that MSP has an Options field whose valid values are qrs, tuv, and xyz. A simple or stateful pattern match for the string xyz would produce a high number of false positives, because xyz is a legitimate value in the Options field. With protocol decode-based analysis, the IDS decodes MSP and reports xyz only when it appears in the Type field.
Although this method is effective in reducing false positives for well-defined protocols, protocol violations are easily missed by the IDS if the protocol is ambiguous or loosely defined.
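The next block is an added example, not code from the book or from Cisco IDS, that carries the hypothetical MSP case through in Python. MSP does not exist, so the header layout (version byte, 3-byte Type, 3-byte Options, 16-bit payload length) and the set of legal Type values are assumptions; the valid Options values qrs, tuv, and xyz come from the text. The raw pattern signature fires on any xyz in the datagram, while the decoder reports only genuine field violations, and it also reports a truncated header, which a byte pattern cannot see at all.

```python
"""Protocol decode-based signature versus raw pattern matching on a hypothetical protocol.

MSP (Multicast over Satellite Protocol) is the text's invented protocol. Its wire
format and legal Type values are assumptions made here for the demonstration.
"""
import struct
from typing import List, NamedTuple, Optional

MSP_HDR = struct.Struct(">B3s3sH")          # version, Type, Options, payload length (assumed layout)
VALID_TYPES = {b"dat", b"ctl"}               # assumed legal Type values; xyz is NOT one of them
VALID_OPTIONS = {b"qrs", b"tuv", b"xyz"}     # legal Options values from the text


class MspHeader(NamedTuple):
    version: int
    type: bytes
    options: bytes
    length: int


def build_msp(type_: bytes, options: bytes, payload: bytes = b"", version: int = 1) -> bytes:
    """Encode an MSP datagram (used only to construct sample traffic)."""
    return MSP_HDR.pack(version, type_, options, len(payload)) + payload


def pattern_sig(raw: bytes) -> bool:
    """Plain pattern matching: any 'xyz' anywhere in the datagram fires."""
    return b"xyz" in raw


def decode_msp(raw: bytes) -> Optional[MspHeader]:
    """Parse the header; return None when the bytes do not form a well-formed MSP datagram."""
    if len(raw) < MSP_HDR.size:
        return None
    hdr = MspHeader(*MSP_HDR.unpack_from(raw))
    if len(raw) - MSP_HDR.size != hdr.length:
        return None   # length field disagrees with the bytes on the wire
    return hdr


def decode_sig(raw: bytes) -> List[str]:
    """Protocol-decode signature: report only violations of the (assumed) MSP specification."""
    hdr = decode_msp(raw)
    if hdr is None:
        return ["malformed MSP header"]
    alarms = []
    if hdr.type not in VALID_TYPES:
        alarms.append(f"illegal Type {hdr.type!r}")
    if hdr.options not in VALID_OPTIONS:
        alarms.append(f"illegal Options {hdr.options!r}")
    return alarms


# Constructed datagrams covering the cases discussed in the text.
SAMPLES = {
    "legit_xyz_option": build_msp(b"dat", b"xyz", b"telemetry"),          # xyz is legal here
    "attack_xyz_type":  build_msp(b"xyz", b"qrs", b"payload"),            # the real attack
    "clean":            build_msp(b"ctl", b"tuv"),
    "truncated":        build_msp(b"dat", b"qrs", b"abc")[:5],            # header cut short
    "xyz_in_payload":   build_msp(b"dat", b"qrs", b"user xyz logged in"), # xyz in free text
}


def compare(samples=SAMPLES):
    """Map each sample name to (pattern_fired, decoder_alarms)."""
    return {name: (pattern_sig(raw), decode_sig(raw)) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:18s} pattern={result[0]!s:5s} decode={result[1]}")
```

Two of the five samples are false positives for the byte pattern and none for the decoder. The caveat from the text applies in the other direction: the decoder's accuracy is bounded by how precisely the protocol is specified, so for a loosely defined protocol the VALID_* sets would be guesses and violations could slip through.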
Heuristic-Based Analysis
A heuristic-based signature uses an algorithm to decide whether an alarm should be fired. An example is a signature that fires when a threshold number of unique ports on a particular host are scanned. The signature can also be narrowed, for example, to SYN packets from a particular source, such as a perimeter router. Although heuristic-based signatures may be the only way to detect certain types of attacks, they require tuning and modification to fit the network environment in which they run. Moreover, heuristic scanning is CPU- and resource-intensive, so carefully weigh the benefits and drawbacks against your network security needs before implementing a large-scale heuristic-based solution.
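The port-scan heuristic described above, as an added example in Python that is not code from the book or from Cisco IDS. It counts distinct destination ports per source inside a sliding time window and fires once per source when a threshold is crossed; the SYN-only filter and an exemption list for an authorised scanner stand in for the narrowing the text mentions. The traffic mix, the threshold of 15 ports, and the 10-second window are all constructed assumptions; the point of the block is what happens to the result when those knobs are tuned.

```python
"""Heuristic port-scan signature: fire when one source touches a threshold number of
distinct destination ports within a time window.

Traffic is a constructed list of (timestamp, src, dst, dport, tcp_flags) tuples;
the threshold, window and exemption list are assumptions a deployment would tune.
"""
from collections import defaultdict, deque


class PortScanHeuristic:
    def __init__(self, threshold=15, window_s=10.0, syn_only=True, exempt=()):
        self.threshold = threshold          # distinct ports before an alarm fires
        self.window_s = window_s            # look-back period in seconds
        self.syn_only = syn_only            # ignore non-SYN segments (replies, established flows)
        self.exempt = frozenset(exempt)     # sources allowed to probe, e.g. an authorised scanner
        self.history = defaultdict(deque)   # src -> deque of (ts, dport) still inside the window
        self.alarmed = set()                # sources already reported (one alarm per source)

    def observe(self, ts, src, dst, dport, flags):
        """Feed one segment; return True exactly when src first crosses the threshold."""
        if src in self.exempt or (self.syn_only and flags != "S"):
            return False
        hist = self.history[src]
        hist.append((ts, dport))
        while hist and ts - hist[0][0] > self.window_s:   # expire entries outside the window
            hist.popleft()
        distinct = {port for _, port in hist}
        if len(distinct) >= self.threshold and src not in self.alarmed:
            self.alarmed.add(src)
            return True
        return False


def detect(events, **tuning):
    """Run the heuristic over the events in time order; return the sorted sources that fired."""
    det = PortScanHeuristic(**tuning)
    fired = [src for ts, src, dst, dport, flags in sorted(events, key=lambda e: e[0])
             if det.observe(ts, src, dst, dport, flags)]
    return sorted(fired)


# Constructed traffic mix (timestamps in seconds).
EVENTS = (
    [(0.1 * i, "198.51.100.9", "192.0.2.10", 1000 + i, "S") for i in range(20)]         # fast scan
    + [(3.0 * i, "198.51.100.10", "192.0.2.10", 2000 + i, "S") for i in range(20)]      # slow scan, 1 port / 3 s
    + [(5.0, "10.0.0.5", "192.0.2.10", p, "S") for p in (22, 80, 443)]                  # ordinary client
    + [(6.0 + 0.01 * i, "10.0.0.1", "192.0.2.10", 3000 + i, "S") for i in range(30)]    # authorised scanner
    + [(7.0 + 0.01 * i, "192.0.2.10", "10.0.0.5", 40000 + i, "A") for i in range(30)]   # server replies (ACK)
)

if __name__ == "__main__":
    print("default   :", detect(EVENTS, exempt={"10.0.0.1"}))
    print("slow-aware:", detect(EVENTS, threshold=4, window_s=60.0, exempt={"10.0.0.1"}))
    print("any flags :", detect(EVENTS, syn_only=False, exempt={"10.0.0.1"}))
```

With the defaults only the fast scanner fires; the slow scanner never has 15 distinct ports inside any 10-second window, which is the classic false negative of a threshold heuristic. Widening the window and lowering the threshold catches it without flagging the three-port client, but dropping the SYN-only filter immediately turns the server's own ACK replies into a false positive, and forgetting the exemption does the same for the authorised scanner. Each tuning change is also more state to keep per source, which is where the CPU and memory cost the text mentions comes from.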